A group of security researchers from Ensilo discovered a new malware evasion technique, dubbed Process Doppelgänging, that could be implemented by vxers to bypass most antivirus solutions and security software.
The technique is a fileless code injection method that exploits a built-in Windows function and an undocumented implementation of the Windows process loader.
The Process Doppelgänging technique works on almost any Windows version starting from Windows Vista to the latest version of Windows 10.
Process Doppelgänging presents similarities to another technique dubbed Process Hollowing, but it relies upon the Windows mechanism of NTFS Transactions.
The Process Hollowing could be used by attackers to replace the memory of a legitimate process with a malicious code, in this way security software are tricked into believing that the legitimate process is running.
Fortunately, all modern security software are able to detect Process Hollowing attacks.The Process Doppelgänging leverages the Windows NTFS Transactions and an outdated implementation of Windows process loader originally designed for Windows XP to carry on the attack.
NTFS Transaction is a Windows feature that was implemented to integrate transactions into the NTFS file system, allowing it easier for application developers to handle errors and preserve data integrity, and of course to manage files and directories.
“The goal of the technique is to allow a malware to run arbitrary code (including code that is known to be malicious) in the context of a legitimate process on the target machine,” said the security duo.
“Very similar to process hollowing but with a novel twist. The challenge is doing it without using suspicious process and memory operations such as SuspendProcess, NtUnmapViewOfSection.”
“In order to achieve this goal we leverage NTFS transactions. We overwrite a legitimate file in the context of a transaction. We then create a section from the modified file (in the context of the transaction) and create a process out of it. It appears that scanning the file while it’s in transaction is not possible by the vendors we checked so far (some even hang) and since we rollback the transaction, our activity leaves no trace behind.”
According to the tests conducted by the researchers, which used Process Doppelgänging to run the well-known password-stealing utility Mimikatz without being detected, the technique evades detection from most antiviruses as reported in the following table:
Liberman explained that the Process Doppelgänging works on even the latest version of Windows 10, except Windows 10 Redstone and Fall Creators Update, both released earlier this year. On these later releases, the attack triggers a BSOD (blue screen of death) condition.
Fortunately, it is technically challenging to power Process Doppelgänging attacks due to the need to know “a lot of undocumented details on process creation.”
The bad news is that the attack “cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows.”
(Security Affairs – Process Doppelgänging, hacking)